    SANS FOR518: Mac and iOS Forensic Analysis and Incident Response

    Posted By: l3ivo

    Sarah Edwards, SANS Institute, "SANS FOR518: Mac and iOS Forensic Analysis and Incident Response"
    English | 2020 | ASIN: N/A | PDF | 281 MB

    What You Will Learn
    Digital forensic and incident response investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms. Dealing with these devices as an investigator is no longer a niche skill - every analyst must have the core skills necessary to investigate the Apple devices they encounter.

    The constantly updated FOR518: Mac and iOS Forensic Analysis and Incident Response course provides the techniques and skills necessary to take on any Mac or iOS case without hesitation. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. In addition to traditional investigations, the course presents intrusion and incident response scenarios to help analysts learn ways to identify and hunt down attackers that have compromised Apple devices.

    Forensicate Differently!

    FOR518: Mac and iOS Forensic Analysis and Incident Response will teach you:

    Mac and iOS Fundamentals: How to analyze and parse the Apple File System (APFS) by hand and recognize the specific domains of the logical file system and Mac-specific file types.
    User & Device Activity: How to understand, profile, and conduct advanced pattern-of-life analysis on users and their devices through their data files and preference configurations.
    Advanced Intrusion Analysis and Correlation: How to determine how a system has been used or compromised by using the system and user data files in correlation with system log files.
    Apple Technologies: How to understand and analyze many Mac and iOS-specific technologies, including Time Machine, Spotlight, iCloud, Document Versions, FileVault, Continuity, and FaceTime.

    FOR518: Mac and iOS Forensic Analysis and Incident Response aims to train a well-rounded investigator by diving deep into forensic and intrusion analysis of Mac and iOS. The course focuses on topics such as the APFS file system, Mac-specific data files, tracking of user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who completes this course will have the skills needed to take on a Mac or iOS forensics case.

    FOR518 Will Prepare You To

    Parse the HFS+ file system by hand, using only a cheat sheet and a hex editor
    Understand the APFS file system and its significance
    Determine the importance of each file system domain
    Conduct temporal analysis of a system by correlating data files and log analysis
    Profile how individuals used the system, including how often they used the system, what applications they frequented, and their personal system preferences
    Identify remote or local data backups, disk images, or other attached devices
    Find encrypted containers and FileVault volumes, understand keychain data, and crack Mac passwords
    Analyze and understand Mac metadata and their importance in the Spotlight database, Time Machine, and Extended Attributes
    Develop a thorough knowledge of the Safari Web Browser and Apple Mail applications
    Identify communication with other users and systems through iChat, Messages, FaceTime, Remote Login, Screen Sharing, and AirDrop
    Conduct an intrusion analysis of a Mac for signs of compromise or malware infection
    Acquire and analyze memory from Mac systems
    Acquire and analyze iOS devices in depth

    Course Topics

    In-Depth HFS+ File System Examination and an Introduction to APFS
    File System Timeline Analysis
    Advanced Computer Forensics Methodology
    Mac-Specific Acquisition and Incident Response Collection
    Mac Memory Acquisition and Analysis
    File System Data Analysis
    Metadata Analysis
    Recovery of Key Mac Files
    Volume and Disk Image Analysis
    Analysis of Mac Technologies, including Time Machine, Spotlight, and FileVault
    Advanced Log Analysis and Correlation
    iDevice Analysis and iOS Artifacts